The Washington Privacy Act (WPA) and the California Consumer Privacy Act (CCPA) are two state acts out of the United States with similar aims - to protect the privacy of consumers living in their respective states.

Both Acts mirror the EU's General Data Protection Regulation (GDPR) by compelling businesses to be transparent about the way they collect and use consumer's data. They each have the potential to affect businesses around the globe because a company doesn't need a presence in either state for the Acts to apply.

We'll compare the WPA with the CCPA and help you to determine whether the Acts apply to your business and what's required to be compliant.


Overview of the California Consumer Privacy Act

The CCPA was signed into law June 28th 2018. The Act, which took effect on January 1st 2020, increases the rights of consumers with regard to their personal data and ensures businesses are upfront about how they collect and process this data. It also enables consumers to opt-out of the sale of their personal data.

Overview of the Washington Privacy Act

The WPA was introduced in January 2019, however it is not yet law. In March 2019 it was passed in the Senate by an overwhelming majority, but in April 2019 it failed to make the House floor for a vote.

However, the Bill's sponsor, Sen. Reuven Carlyle, took to Twitter to show the Senate's commitment to getting the Act passed in 2020.

Twitter post of Senator Reuven Carlyle about his commitment to WPA

If the WPA passes, Washington consumers would have the right to know who's using their data and why. Additionally, they'd be able to correct inaccurate personal information and stop the sale of their data.

How could these Acts affect your business? Let's consider who each Act applies to.

Who Does the California Consumer Privacy Act Apply to?

The CCPA applies to:

Businesses that collect and control the personal data of California residents and meet at least one of these conditions:

  1. Have gross revenue in excess of $25 million
  2. Annually buy, sell or disclose the personal information of 50,000 or more consumers, households or devices for commercial reasons, or
  3. Derive 50% or more of their annual revenues from selling the personal data of consumers

Your business will be exempt from compliance according to Section 1798.140 CCPA if:

"every aspect of commercial conduct takes place wholly outside of California"

This means no part of the sale or collection of an individual's personal information took place in California.

Not-for-profit businesses, healthcare companies and public sector offices are also exempt.

Who Does the Washington Privacy Act Apply to?

Section 4 of the Bill states that the WPA applies to businesses whose products or services are targeted at Washington consumers if the business:

  1. Controls or processes data of more than 100,000 consumers, or
  2. Derives at least 50% in revenue from the sale of personal data and processes or controls personal data of more than 25,000 consumers

What Does the California Consumer Privacy Act Require?

What Does the California Consumer Privacy Act Require?

Disclosure of Information - The CCPA requires businesses to disclose certain information to their customers in their Privacy Policy or at the point of the data collection. The information must include:

  • The consumer's rights under the CCPA
  • What information is collected and why it's collected
  • What personal data is disclosed or sold in the 12-month period after collection

Responding to Requests - Consumers will be able to request information from companies including:

  • Where the business collects personal data from
  • The categories and specific pieces of the data collected
  • What third parties the company discloses that information to

Timely Manner - Companies must disclose the information within 45 days of a request and free of charge.

Ease of Making Requests - Companies need to ensure their customers have a minimum of two ways to submit their information requests. For example, via their website and a toll-free telephone number.

Deletion of Data - The CCPA requires businesses to delete a consumer's personal data if the consumer asks for it to be deleted.

Opt-Out - The Act gives consumers the right to stop the sale of their data. Businesses must provide an 'opt-out' option by ensuring a 'clear and conspicuous link' called "Do Not Sell My Personal Information" is present on their website's homepage. In addition, businesses are not allowed to state that customers must have an account to opt out.

Big Cat Rescue has implemented this change by adding such a link to its site in the footer:

Big Cat Rescue website footer with links

Opt-In for Kids - the Act also creates the right to opt-in. Consumers under the age of 16 may opt in and companies must not sell their data unless they do. For consumers under 13 years old, the opt-in option is transferred to their parent or guardian.

Equal Service and Price - A key provision of the Act is the consumer's right to receive equal service and pricing from a business, regardless of whether or not they exercise their rights of privacy under the Act. The Act states that businesses must not 'discriminate' against customers who utilize the act. his includes denying services, charging a different price, changing the quality of their goods or services and suggesting that the customer will receive a different level of service or a different rate.

Are There Any Exceptions to the CCPA Requirements?

Equal Service and Price - A company can offer different levels of service or charge higher prices for their goods or services according to CCPA Section 3 1798.125 if:

"that difference is reasonably related to the value provided to the consumer by the consumer's data."

Deletion of Data - The most important exceptions to this requirement are that a business will not need to delete the consumer's personal data if it's necessary for the business to maintain it in order to:

  • Complete the transaction for which the personal information was collected
  • Detect security incidents or prosecute those responsible for them
  • Exercise free speech or ensure the consumer's right to exercise free speech
  • Comply with a legal obligation

The full list of exceptions can be found in Section 3 1798.105.

Financial Incentives - Businesses are permitted to offer financial incentives to consumers for the collection or sale of personal information.

Opt-Out Link - As long as a business has a separate homepage solely for California customers which includes the required 'Do Not Sell My Personal Information' link, they won't be required to include the link on their homepage. Realistically, this may not be practical.

What Does the Washington Privacy Act Require?

What Does the Washington Privacy Act Require?

The WPA requires businesses to be transparent about the personal information they hold about citizens of Washington state. Consumers would be able to find out what data was collected and if that personal data is being sold to a third party.

The main requirements for businesses are:

Privacy Notice/Privacy Policy - Section 7 of the Bill states that all affected businesses need to produce a Privacy Policy that informs consumers about:

  • The categories of personal data collected
  • The purposes for which the personal data is used and disclosed to third parties
  • The rights that consumers may exercise under the act
  • The categories of personal data the controller shares with third parties
  • The categories of third parties who share personal data with the controller
  • The processing method of data used for targeted advertising

Correction of Information - Companies would need to accept requests from customers to correct inaccurate information.

Deletion of Data - On request, your business would need to delete the customer's personal information.

Copies of Information - On request, your business would need to provide a copy of any personal information it holds about a consumer.

Timely Response - The WPA says there should be no undue delays and the controller should advise the consumer how they'll respond to any request in a timely manner. In addition, replies must be free of charge unless there are numerous requests.

Refusal of Marketing - A consumer can refuse to have their information used in direct marketing.

Communication of Changes - The WPA creates an onus on companies to inform third-party data recipients if the data they received has changed. For example, if the consumer said they don't want their data used in direct marketing, the third party should be told.

Risk Assessments - Your business would be required to complete a risk assessment of each of your processing activities involving personal data. According to Section 8 of the WPA:

"Such risk assessments must take into account the type of personal data including the extent to which the personal data is sensitive data and the context in which the personal data is to be processed."

Automated Decision Making - Companies should not base a decision solely on automated decision-making processes. Automated decision making can still be carried out, however controllers must safeguard consumers from having a decision made about them based only on automated decision making.

Facial Recognition Technology Restrictions - An interesting inclusion in the WPA is that it would restrict businesses from using facial-recognition technology without the consumer's consent. Two giant Washington-based corporations who would be affected by the restriction of facial recognition technology are Amazon and Microsoft.

Are There Any Exceptions to the WPA Requirements?

Employment Records - The WPA creates a specific exemption for employee records. All data maintained for employment record purposes is excluded from the requirements.

Disclosure of Data - If your business isn't able to verify a consumer's identity, it does not need to confirm what personal data it holds about them or advise if the data is being sold.

Anonymous Data - When disclosing data, your business does not have to re-identify any unidentified data.

Third Party Violations - Your business would not be liable for sharing data with a third party who proceeded to violate the Act unless your company knew the third party intended to breach the Act.

Similarly, your company would not be liable for receiving data from a third party who failed to meet the requirements of the Act.

Additionally, the Bill makes it clear that the requirements should not restrict your company's ability to:

  • Comply with the law or defend legal claims
  • Detect and prevent identity theft, fraud and security incidents
  • Carry out an agreed contract with a customer
  • Protect the consumer's interests
  • Process a consumer's personal data with their consent

What are the Similarities Between the Acts?

What are the Similarities Between the Acts?

Both Acts:

  1. Enable customers to find out what personal data a company has collected and to obtain a copy of that information.
  2. Place an onus on businesses to be proactive in telling their customers what specific types of personal information they collect and how that information is used.
  3. Give consumers the option to 'opt-out' of their personal data being sold to third parties.
  4. State that businesses must delete a consumer's personal data at their request.
  5. Require companies to keep collected personal data secure. This means businesses must have stringent security protocols in place to prevent data breaches.
  6. Have similar penalties for non-compliance. Businesses that don't comply with the WPA can be fined $2500 per unwitting violation and a maximum of $7500 for intentional breaches. Similarly, the CCPA has a civil penalty of up to $7500 per violation.
  7. Have a 30-day cure period, which gives companies 30 days to avoid a lawsuit by 'curing' a breach. Under the CCPA, a private individual cannot sue for damages until the 30-day period has expired.

What are the Differences Between the Acts?

What are the Differences Between the Acts?

  1. The definition of personal data is broader under the CCPA as it applies to information linked to a household and not just an individual. The WPA restricts the definition of personal data to information regarding an "identified person."
  2. The CCPA has a broader definition of the word "sale." Unlike the WPA, it doesn't limit the definition to the sharing of information "for purposes of licensing or selling personal data at the third party's discretion to additional third parties."
  3. The WPA limits how facial recognition technology can be utilized, but there are no similar provisions in the CCPA.
  4. Unlike the CCPA, the WPA includes a 'discrimination' provision which stops businesses from making final automated decisions. This does have exceptions.
  5. Although both Acts require companies to keep personal data secure, the WPA enhances the security required for "sensitive data," which includes data regarding religious beliefs, ethnic origin and sexual orientation.
  6. The CCPA enables private individuals to seek damages from companies that fail to protect their personal data due to inadequate security protocols. Each incident attracts damages between $100 and $750. This is in contrast to the WPA which doesn't grant any private right of action.
  7. The WPA excludes employee records from the definition of consumer, whereas the CCPA does not. However, the California State Assembly has requested that employees be excluded.

Summary

The WPA and the CCPA are similar in that they grant rights to consumers regarding the collection and use of their personal data.

Both Acts require businesses to inform consumers:

  • What data they collect about them
  • How they use the data
  • If the data is sold

They also allow consumers to opt-out of their data being sold.

To meet the requirements, it's important to know what personal information your business collects and develop methods of monitoring data sharing practices.

It's unclear if the WPA will become law, however the CCPA officially took effect in January 2020 and your business needs to be ready.